Shame Boy
Mar 2, 2010

flakeloaf posted:

Assbag system can't distinguish between the string null and actual null

Yay lowest bidder

look we made the database with NOT NULL like 15 years ago and the guy who worked here who knew how to do database things left 10 years ago and now we need to be able to support records with nulls, what the gently caress else are we going to do than just store the string "NULL" huh smartass :colbert:

quote:

After contacting the DMV and the LAPD, and painstakingly explaining his situation, they both told him the same thing: change your plates.

"I said, 'No, I didn’t do anything wrong.'"

But the tickets were still piling up. Thankfully, the DMV contacted the private citation processing company, which then erased the $12,000 in fines. However, and this part is key, they didn't actually fix the problem with their system.

Droogie explained that, as of present, tickets are still being associated with his license plate and the system thinks he owes over $6,000.

lmao
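The NOT NULL workaround described above, reconstructed as an added example (not code from the thread) in SQLite with constructed citation rows: a legacy schema that stores the string "NULL" for an unreadable plate cannot tell those rows apart from a vanity plate that really reads NULL, while a nullable column with a real SQL NULL keeps them distinct. Plate numbers, citation ids and fine amounts are made up.

```python
import sqlite3

# Constructed sample citations: three with no plate read, one for a
# vanity plate that genuinely says NULL, one ordinary plate.
SAMPLE = [
    ("C1", None, 50),       # plate unreadable
    ("C2", None, 75),       # plate unreadable
    ("C3", "NULL", 40),     # the vanity plate that really reads NULL
    ("C4", "7ABC123", 60),  # ordinary plate
]


def legacy_db() -> sqlite3.Connection:
    """Schema with plate NOT NULL; missing plates were stored as the string 'NULL'."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE citation (id TEXT PRIMARY KEY, plate TEXT NOT NULL, fine INTEGER)")
    # The workaround: coerce a missing plate to the literal text "NULL".
    con.executemany("INSERT INTO citation VALUES (?, ?, ?)",
                    [(i, p if p is not None else "NULL", f) for i, p, f in SAMPLE])
    return con


def fixed_db() -> sqlite3.Connection:
    """Nullable plate column; an unknown plate is a real SQL NULL."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE citation (id TEXT PRIMARY KEY, plate TEXT, fine INTEGER)")
    con.executemany("INSERT INTO citation VALUES (?, ?, ?)", SAMPLE)
    return con


def fines_for_plate(con: sqlite3.Connection, plate: str) -> int:
    """Total owed by the holder of one plate (parameterised lookup)."""
    row = con.execute("SELECT COALESCE(SUM(fine), 0) FROM citation WHERE plate = ?",
                      (plate,)).fetchone()
    return row[0]


def unattributed_fines(con: sqlite3.Connection) -> int:
    """Fines with no plate on record. 'plate = NULL' is never true in SQL; IS NULL is needed."""
    row = con.execute("SELECT COALESCE(SUM(fine), 0) FROM citation WHERE plate IS NULL").fetchone()
    return row[0]
```

In the legacy schema the NULL plate holder is billed for every unreadable plate (165 here); in the fixed schema the same lookup returns only that plate's own 40, and the 125 of unattributed fines stays unattributed.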


The_Franz
Aug 8, 2003

there are other variants of this out there. people with custom plates that say things like "NO PLATE" or "MISSING" have been bombarded with unpaid tickets

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Janitor Prime posted:

https://mashable.com/article/dmv-vanity-license-plate-def-con-backfire/

Idiot buys vanity NULL license plate, some system somewhere starts sending him a bunch of unpaid tickets. :owned:

The Idiot is whoever designed that system.

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

Shame Boy posted:

look we made the database with NOT NULL like 15 years ago and the guy who worked here who knew how to do database things left 10 years ago and now we need to be able to support records with nulls, what the gently caress else are we going to do than just store the string "NULL" huh smartass :colbert:


lmao

yeah once you get in the habit of having the company cancel all your unpaid tickets you’re basically a billionaire in terms of committing crimes and getting away with them

drive 80, run lights, park anywhere for free

~Coxy
Dec 9, 2003

R.I.P. Inter-OS Sass - b.2000AD d.2003AD
for a long time in my state if you had a 9 character vanity plate the fines you would get in the mail would only have 8 characters. you could reply to them saying that the plate wasn't yours and they would withdraw them.

flakeloaf
Feb 26, 2003

Still better than android clock

according to this morning's sa banner ads, ashley madison is apparently still a thing?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

flakeloaf posted:

according to this morning's sa banner ads, ashley madison is apparently still a thing?

connect with other horny dads in your area

7of7
Jul 1, 2008
Sure, posting Taviso is easy mode but this thing he just posted is mind blowing.

Completely unauthenticated message passing and method execution across Windows applications at any privilege level.

Shame Boy
Mar 2, 2010

7of7 posted:

Sure, posting Taviso is easy mode but this thing he just posted is mind blowing.

Completely unauthenticated message passing and method execution across Windows applications at any privilege level.

quote:

You might have noticed the ctfmon service in task manager, it is responsible for notifying applications about changes in keyboard layout or input methods.

ohhh that's what c'tuffmon does

Jabor
Jul 16, 2010

#1 Loser at SpaceChem
ctfmon?

run strings on it and see if there's a flag{} somewhere

Midjack
Dec 24, 2007



ctfmon, i choose you!

flakeloaf
Feb 26, 2003

Still better than android clock

capture the flag monitor

Shame Boy
Mar 2, 2010

quote:

I decided to just call every possible index to see what happened.

i'm glad tavis uses the same debug techniques that i do, it makes me feel less stupid :v:

Winkle-Daddy
Mar 10, 2007

tavis posted:

Bonus... can you pop calc in calc?
In Windows 10, Calculator uses AppContainer isolation, just like Microsoft Edge. However the kernel still forces AppContainer processes to join the ctf session.
code:
ctf> scan
Client 0, Tid 2880 (Flags 0x08, Hwnd 00000B40, Pid 3048, explorer.exe)
Client 1, Tid 8560 (Flags 0x0c, Hwnd 00002170, Pid 8492, SearchUI.exe)
Client 2, Tid 11880 (Flags 0x0c, Hwnd 00002E68, Pid 14776, Calculator.exe)
Client 3, Tid 1692 (Flags 0x0c, Hwnd 0000069C, Pid 15000, MicrosoftEdge.exe)
Client 4, Tid 724 (Flags 0x0c, Hwnd 00001C38, Pid 2752, MicrosoftEdgeCP.exe)
This means you can compromise Calculator, and from there compromise any other CTF client, even non-AppContainer clients like explorer.
On Windows 8 and earlier, compromising calc is as simple as any other CTF client.
So yes, you can pop calc in calc.

lmbo

Raere
Dec 13, 2007


yo dog i heard you like calc so i put a calc in your calc so you can calc while you calculate

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

quote:

A note about ASLR...
The entire base system in Windows 10 uses ASLR, but image randomization on Windows is per-boot, not per-process. This means that we can reliably guess the location of code. Unfortunately, the stack is randomized per-process. If we want to use data from the stack we need to leak a pointer.
It turns out that compromising the server is trivially easy, because as part of the CTF marshalling protocol, the monitor actually tells you where its stack is located ¯\_(ツ)_/¯.

lmao

flakeloaf posted:

capture the flag monitor

we always called it "scorebot"

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat

imagine using windows for anything sensitive jesus christ

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

CRIP EATIN BREAD posted:

imagine using windows for anything sensitive jesus christ

like, I bet every other desktop os has similar poo poo going on under the hood

windows is amazing though because there's no such thing as a server build that doesn't ship with fool rear end poo poo on par with rendering fonts in the kernel

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

7of7 posted:

Sure, posting Taviso is easy mode but this thing he just posted is mind blowing.

Completely unauthenticated message passing and method execution across Windows applications at any privilege level.

yeehaw

pseudorandom name
May 6, 2007

ASLR is per-boot because DLLs aren’t position independent, iirc

Wiggly Wayne DDS
Sep 11, 2010



Shame Boy posted:

ohhh that's what c'tuffmon does

same

the back and forth with microsoft on it is good as well: https://bugs.chromium.org/p/project-zero/issues/detail?id=1859

Raere
Dec 13, 2007

I remember ctfmon as one of those processes in the XP days when you were trying to kill as many processes as possible to free up memory on systems with 192MB of RAM.

Wiggly Wayne DDS
Sep 11, 2010



Raere posted:

I remember ctfmon as one of those processes in the XP days when you were trying to kill as many processes as possible to free up memory on systems with 192MB of RAM.

same, it was always in the pile of processes of "surely someone's investigated this for security issues by now"

turns out everyone else thought the same thing

The Fool
Oct 16, 2003


Tavis, about MS posted:

Perhaps that means they're supremely confident they completely understand all facets of the issue and have an airtight solution, and were just flexing by wasting the first 30 days of their embargo.

loving lol

Shame Boy
Mar 2, 2010

Raere posted:

I remember ctfmon as one of those processes in the XP days when you were trying to kill as many processes as possible to free up memory on systems with 192MB of RAM.

lmao yeah i was gonna say that, whenever i wanted to get the maxxxxx frames in half life 2 or whatever it was the first "i don't know what it does but it's using memory" thing i'd look for to axe

i also got real good at telling which svchosts can be safely killed and which would crash the desktop just by looking at their memory footprint :v:

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

The Fool posted:

loving lol

loving raw

quote:

Comment 21 by taviso@google.com on Tue, Aug 13, 2019, 12:56 PM EDT (9 minutes ago)
Apparently this attachment is necessary because Microsoft employees can't count.

NFX
Jun 2, 2008

Fun Shoe
e: help please delete

NFX
Jun 2, 2008

Fun Shoe

lmao

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

do not ever gently caress with taviso

Grace Baiting
Jul 20, 2012

Hear the fame of that one;
he ran, destroying
whatever he touched.



@tavisowns

Wiggly Wayne DDS
Sep 11, 2010



going through some patch tuesday cves:

rdp pre-auth rces:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1222 (microsoft)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1226 (microsoft)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182 (microsoft)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181 (microsoft)

.lnk vuln, again:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1188 (team t5)

fonts, as usual:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1152 (project zero)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1151 (project zero)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1150 (project zero)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1149 (project zero)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1145 (project zero + trend micro)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1144 (project zero + trend micro)

hyper-v priv esc:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0965 (microsoft)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0720 (qihoo 360 + microsoft)

dhcp client rce:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0736 (microsoft)

ALPC priv esc:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1162 (project zero)

quote:

The update addresses the vulnerability by correcting how Windows handles calls to ALPC.

so they hit the deadline, technically?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

jesus christ

The Fool
Oct 16, 2003


Wiggly Wayne DDS posted:

so they hit the deadline, technically?

Yeah, but if you read taviso's bugtracker, it's not a complete solution

The Fool
Oct 16, 2003


Tavis deleted comment 21

Wiggly Wayne DDS
Sep 11, 2010



The Fool posted:

Yeah, but if you read taviso's bugtracker, it's not a complete solution

ya i'm aware it's a partial fix, and the microsoft tracker says it's not publicly disclosed

lot of nice bugs this month

Phone
Jul 30, 2005

I want oyakodon.

lmao deleted comment #21

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug
lmao

Raere
Dec 13, 2007

whole lotta people spending time in the air conditioned indoors finding exploits because it's too hot to go outside I guess

Heavy_D
Feb 16, 2002

"rararararara" contains the meaning of everything, kept in simple rectangular structures

flakeloaf posted:

Assbag system can't distinguish between the string null and actual null

Yay lowest bidder

presumably this is VLOOKUP territory


Carthag Tuek
Oct 15, 2005

Ages shall come,
ages shall pass away,
generation shall follow the generations' course



Raere posted:

whole lotta people spending time in the air conditioned indoors finding exploits because it's too hot to go outside I guess

actually tavis uses the shower
